Commit Graph

95 Commits

Author SHA1 Message Date
Russell Keith-Magee 33076af6f2 Corrected an issue which could allow attackers to manipulate session data using the cache. A security announcement will be made shortly.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16759 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-10 00:46:48 +00:00
Jannis Leidel fb590bfa9b Replaced `has_key()` calls with `in` to ease Python 3 port. Thanks, Martin von Löwis.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16740 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-09-09 19:33:40 +00:00
Jannis Leidel 24f4764a48 Fixed #16225 -- Removed unused imports. Many thanks to Aymeric Augustin for the work on the patch and Alex for reviewing.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16539 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-07-13 09:35:51 +00:00
Alex Gaynor 20dc647ba8 Fixed a typo, and added an ``__future__`` import to the new signed cookie tets.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16467 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-26 19:22:53 +00:00
Jannis Leidel c817f2f544 Fixed #16199 -- Added a Cookie based session backend. Many thanks to Eric Florenzano for his initial work and Florian Apollaner for reviewing.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@16466 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-06-26 17:00:24 +00:00
Russell Keith-Magee d60ae0b721 Removed deprecated 'no' translation
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15988 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-04-02 08:43:43 +00:00
Luke Plant c0caac87f9 Removed Django 1.2 compatibility fallback for session data integrity check hash.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15954 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-30 17:35:22 +00:00
Adrian Holovaty a87be3554f Removed a bunch of Python 2.4 workarounds now that we don't support it. Refs #15702 -- thanks to jonash for the patch. Splitting this over muliple commits to make it more manageable.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15926 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-28 01:40:43 +00:00
Jannis Leidel ada8e2a6fa Pulled translation updates from Transifex again.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15886 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-20 22:16:14 +00:00
Ramiro Morales 5347bbd514 Fixed plural forms formula for the Croatian (hr) localization by manually overriding the header of affected .po files and re-generating .mo files, this seems to be a quirck in Transifex export to PO functionality. Thanks bmihelac fot the report. Refs #15634.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15875 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-17 22:56:10 +00:00
Jannis Leidel d31cf12be1 Pulled sessions translation updates from Transifex.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15836 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-15 20:12:38 +00:00
Jannis Leidel 90564a156c Fixed Hungarian, Russian, Serbian and Ukranian plural forms introduced in r15680.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15752 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-04 01:07:11 +00:00
Jannis Leidel c11140d04b Fixed plural forms of Irish translation introduced in r15680.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15751 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-04 01:05:10 +00:00
Jannis Leidel 53b2a25396 Fixed plural forms of Welsh translation introduced in r15680.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15750 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-04 01:04:31 +00:00
Jannis Leidel bef353873e Fixed plural forms of Bosnian translation introduced in r15680.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15749 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-04 01:03:14 +00:00
Jannis Leidel 9838ba0db7 Updated sessions translations from transifex.net. Refs #15300.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15694 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-03-01 09:12:43 +00:00
Alex Gaynor 6ca7c9c495 Fixed a security issue in the file session backend. Disclosure and new release forthcoming.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15467 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-09 02:13:24 +00:00
Russell Keith-Magee 7536f63b32 Fixed #14768 -- Added an es_MX locale and initial translation. Thanks to Alonso Bautista Villalobos and the rest of the Mexican translation team.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15433 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-02-06 06:06:29 +00:00
Carl Meyer b8a8066ac4 Fixed duplicate-named contrib.sessions tests, and removed unused import (cleanup from doctest conversion).
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15377 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-31 18:37:28 +00:00
Jannis Leidel ddb9df78a6 Added new translation files to sessions contrib app.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15270 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-21 19:19:44 +00:00
Russell Keith-Magee 993612c84d Fixed #15026 -- Added cleanup to the invalid key session tests; when using Memcached as a cache backend, the cache-backed session backends would fail on the second run due to leftover cache artefacts. Thanks to jsdalton for the report and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15235 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2011-01-17 14:03:19 +00:00
Russell Keith-Magee 78be884ea7 Fixed #3304 -- Added support for HTTPOnly cookies. Thanks to arvin for the suggestion, and rodolfo for the draft patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14707 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-26 13:30:50 +00:00
Luke Plant f6363bc628 Fixed potential circular import problem.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14564 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-14 23:35:16 +00:00
Luke Plant 0324151bec Fixed #14685 - incompatible code in contrib.sessions.models
Thanks to PaulM for the report.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14562 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-11-14 22:23:46 +00:00
Russell Keith-Magee ea85d4303d Fixed #14231 -- Added an index to the expire_date column on the Session model. Thanks to joeri for the report, via Frodo from Medid.
This won't affect any existing session tables; see the release notes for migration instructions.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14378 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-28 11:56:37 +00:00
Luke Plant 45c7f427ce Fixed #14445 - Use HMAC and constant-time comparison functions where needed.
All adhoc MAC applications have been updated to use HMAC, using SHA1 to
generate unique keys for each application based on the SECRET_KEY, which is
common practice for this situation. In all cases, backwards compatibility
with existing hashes has been maintained, aiming to phase this out as per
the normal deprecation process. In this way, under most normal
circumstances the old hashes will have expired (e.g. by session expiration
etc.) before they become invalid.

In the case of the messages framework and the cookie backend, which was
already using HMAC, there is the possibility of a backwards incompatibility
if the SECRET_KEY is shorter than the default 50 bytes, but the low
likelihood and low impact meant compatibility code was not worth it.

All known instances where tokens/hashes were compared using simple string
equality, which could potentially open timing based attacks, have also been
fixed using a constant-time comparison function.

There are no known practical attacks against the existing implementations,
so these security improvements will not be backported.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14218 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-14 20:54:30 +00:00
Russell Keith-Magee 121d2e3678 Fixed #12991 -- Added unittest2 support. Thanks to PaulM for the draft patch, and to Luke, Karen, Justin, Alex, Łukasz Rekucki, and Chuck Harmston for their help testing and reviewing the final patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14139 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-11 12:55:17 +00:00
Russell Keith-Magee a904e55859 Fixed #11509 -- Modified usage of "Web" to match our style guide in various documentation, comments and code. Thanks to timo and Simon Meers for the work on the patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@14069 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-09 08:12:50 +00:00
Russell Keith-Magee 597e03cd74 Fixed #14096 -- Corrected Python 2.4 syntax issue. Thanks to PaulM for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@13579 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-08-14 12:11:02 +00:00
Luke Plant 5eece23296 Converted sessions tests from doctest to unittest.
Also made the FileSession backend consistent with other backends in one
corner case uncovered by the conversion, namely that the backend should
create a new key if the one passed in is invalid.



git-svn-id: http://code.djangoproject.com/svn/django/trunk@13482 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-08-05 11:49:58 +00:00
Russell Keith-Magee 962defed0a Fixed #13200 -- Updated the DB session backend to make full use of routers, deprecating the need for the SESSION_DB_ALIAS setting. Thanks to rokclimb15 for the report.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12844 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-03-25 10:29:06 +00:00
Adrian Holovaty 5ceed0a053 Changed a whole bunch of places to raise exception instances instead of old-style raising exception classes plus a comma. Good for the future Python 3 conversion
git-svn-id: http://code.djangoproject.com/svn/django/trunk@12180 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-01-10 18:36:20 +00:00
Russell Keith-Magee ff60c5f9de Fixed #1142 -- Added multiple database support.
This monster of a patch is the result of Alex Gaynor's 2009 Google Summer of Code project.
Congratulations to Alex for a job well done.

Big thanks also go to:
 * Justin Bronn for keeping GIS in line with the changes,
 * Karen Tracey and Jani Tiainen for their help testing Oracle support
 * Brett Hoerner, Jon Loyens, and Craig Kimmerer for their feedback.
 * Malcolm Treddinick for his guidance during the GSoC submission process.
 * Simon Willison for driving the original design process
 * Cal Henderson for complaining about ponies he wanted.

... and everyone else too numerous to mention that helped to bring this feature into fruition.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@11952 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-12-22 15:18:51 +00:00
Jacob Kaplan-Moss c485e236bd Fixed #8193: all dynamic imports in Django are now done correctly. I know this because Brett Cannon borrowed the time machine and brought Python 2.7's '`importlib` back for inclusion in Django. Thanks for the patch-from-the-future, Brett!
git-svn-id: http://code.djangoproject.com/svn/django/trunk@10088 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-18 16:55:59 +00:00
Malcolm Tredinnick d77236960a Fixed #9548 -- Correctly detect existence of empty sessions with cache backend.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9934 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-03-01 07:32:41 +00:00
Jacob Kaplan-Moss 299e1e814f Fixed #6791: added a write-through cache session backend: session data is written through the cache to the database, but read from the cache for speed. Thanks to jhenry, mcroydon, and jdunck.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9727 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2009-01-10 22:18:14 +00:00
Jacob Kaplan-Moss b21ea0a836 More be-nice-to-the-buildbot: be better about cleaning up files created by the cache/session tests.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9224 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-10-10 21:41:12 +00:00
Malcolm Tredinnick a10fcbdb8b Fixed #9096 -- Fixed a slightly out-of-date comment.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9062 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-17 08:10:55 +00:00
Jacob Kaplan-Moss 89633c3077 Fixed a small oversight in [8750]; thanks for the sharp eyes, Warren. Fixes #8616.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8812 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-09-01 20:25:16 +00:00
Jacob Kaplan-Moss eebc7caa63 Fixed #8616 (again): prevent a race condition in the session file backend. Many thanks to Warren Smith for help and the eventual fix.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8750 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-30 20:50:41 +00:00
Malcolm Tredinnick 3717e3bba3 Reverted #8688 for now, since it merely introduced different bugs, rather than
fixing the problem. We have a plan B (and plan C, if needed), so this will be
fixed in a different way.

Refs #8616.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8707 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-29 17:32:21 +00:00
Malcolm Tredinnick 02f86a1c7c Fixed #8616 -- Fixed a race condition in the file-based session backend.
Thanks to warren@wandrsmith.net for the patch.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8688 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-29 01:44:11 +00:00
Malcolm Tredinnick ee28560997 Fixed #8311 -- Avoid an infinite loop with session key generation when using
the cache backend and memcached goes away (or is not running).


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8620 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-27 08:58:51 +00:00
Malcolm Tredinnick 213f294638 Avoid a crash when unencoding session data for the db backend. This is required
because some configurations of MySQL (with utf8_bin collation) will return
bytestring, rather than unicode data, which was causing problems previously.

Refs #8340.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8507 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-23 22:59:04 +00:00
Malcolm Tredinnick c8c159cbba When logging in, change the session key whilst preserving any existing
sesssion. This means the user will see their session preserved across a login
boundary, but somebody snooping the anonymous session key won't be able to view
the authenticated session data.

This is the final piece of the session key handling changes.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8459 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-21 13:54:53 +00:00
Malcolm Tredinnick eb85af1865 Fixed #8457 -- Fixed a missing import.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8451 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-20 21:12:45 +00:00
Malcolm Tredinnick 54f9a98713 Fixed #8351 -- Fixed the returned value when we attempt to load a cache-backed session object that doesn't alreayd exist.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8410 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-16 15:54:36 +00:00
Malcolm Tredinnick 0d48087a53 Made a few small tweaks to reduce persistent storage accesses in the session
backend. Refs #8311, although doesn't fix the problem there.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8381 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-15 14:59:11 +00:00
Malcolm Tredinnick 9e423b51e3 Fixed #8314 -- Fixed an infinite loop caused when submitting a session key (via
a cookie) with no corresponding entry in the database.

This only affected the database backend, but I've applied the same fix to all
three backends for robustness.


git-svn-id: http://code.djangoproject.com/svn/django/trunk@8351 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-14 19:43:08 +00:00
Gary Wilson Jr f9301fa8f4 Removed some testing code inadvertently commited in [8348].
git-svn-id: http://code.djangoproject.com/svn/django/trunk@8349 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2008-08-14 15:41:38 +00:00